roblabla
commented
4 years ago Alright small update: I managed to identify the code in the steam client that interacts with the Steam Controller. And fortunately, a lot of symbols and assert messages are left over, allowing me to find the official name for more or less every single packet, along with a whole host of packets that seem to be used for other valve hardware - The valve index and steam controller share a lot of code.
I'll update the table above with this newfound information as I go.
tiehichi
nrc4867
MichaelZaugg
This is an issue to gather information about the HID Controller Interface protocol, as described here.
Look at #25 for my current progress.
Old information
The HID Controller Interface is interfaced either via Firmware USB EP3 , Bootloader USB EP1, or via some currently unknown wireless mechanism. It works by transferring buffers of 0x40 bytes. The first byte is a packet id, while the second byte is the length of the additional data. Here is a packetid table containing both bootloader and firmware packets as of 57bf5c10. Host->Controller: Packet ID | Name | Controller Bootloader | Controller Firmware | Dongle | Description ----------|--------|---------------------|------------------|------------|---------- 0x80 | | ⛔️ | ✅ | | 0x81 | ExitLizardMode | ⛔️ | ✅ | ❓ | Exits the "lizard mode" - Tells the steam controller to acting like a dumb keyboard/mouse combo. Might need to be sent periodically? 0x82 | | ⛔️ | ✅ | | 0x83 | [ControllerInfoRequest](#ControllerInfoRequest) | ✅ | ✅ | | Asks the controller to send its ControllerInfo. 0x85 | | ⛔️ | ✅ | | 0x87 | [SetSettings](#SetSettings) | ⛔️ | ✅ | ❓| Sets the controller settings 0x89 | | ⛔️ | ✅ | | 0x8d | | ⛔️ | ✅ | | 0x8e | | ⛔️ | ✅ | | 0x8f | TriggerHapticPulse | ⛔️ | ✅ | | 0x90 | ReinvokeISP | ✅ | ✅ | ❓ | Reinvokes the LPC ISP Firmware (ISP being what happens when you boot while holding the right trigger). Seems to also work on the dongle? 0x91 | EraseLPCFirmware | ✅ | ⛔️ | | Erases the LPC firmware. 0x92 | FlashLPCFirmware | ✅ | ⛔️ | | Flashes a chunk of LPC firmware. 0x93 | VerifyLPCFirmware | ✅ | ⛔️ | | Finishes flashing the LPC firmware, and validates it against a checksum. 0x95 | ResetSOC | ✅ | ✅ | | Restarts both LPC and NRF CPUs. 0x96 | SetPrngEntropy | ⛔️ | ⛔️ | ✅ | Sends a block of 0x10 random bytes to the device. 0x97 | EraseNRFFirmware | ✅ | ✅ | | (Supposedly, no RE) Erases the NRF Firmware 0x98 | FlashNRFFirmware | ✅ | ✅ | | (Supposedly, no RE) Flashes a chunk of NRF Firmware 0x99 | VerifyNRFFirmware | ✅ | ✅ | | (Supposedly, no RE) Finishes flashing the NRF firmware, and validates it against a checksum. 0x9a | | ⛔️ | ✅ | | Sends data to the nRF chip, wrapped in a packet ']'. 0x9f | TurnOffController | ⛔️ | ✅ | ✅ | 0xa7 | CalibrateTrackpads | ⛔️ | ✅ | | 0xa9 | | ⛔️ | ✅ | | 0xa0 | SetHardwareVersion | ✅ | ⛔️ | | THIS COMMAND IS EXTREMELY DANGEROUS 0xaa | | ⛔️ | ✅ | | 0xab | | ⛔️ | ✅ | | 0xac | | ⛔️ | ✅ | | 0xad | SetDonglePairingMode | ⛔️ | ⛔️ | ✅ | 2 byte args 0xae | ControllerInfoRequest | ⛔️ | ✅ | | 0xb1 | SetControllerKeyboardMouseInputState | ⛔️ | ⛔️ | ✅ | 0xb2 | PairingFailed | ⛔️ | ⛔️ | ✅ | 0xb3 | PairingSuccess | ⛔️ | ⛔️ | ✅ | 0xb4 | GetControllerInfo | ⛔️ | ⛔️ | ✅ | 0xb5 | CalibrateIMU | ⛔️ | ✅ | | 0xb6 | PlayAudio | ⛔️ | ✅ | | Plays the selected jingle 0xb7 | StartFlashJingle | ⛔️ | ✅ | | Does something weird with the jingle_data_ptr :eyes: 0xb8 | FlashJingle | ⛔️ | ✅ | | Writes data to the jingle flash buffer 0xb9 | EndFlashJingle | ⛔️ | ✅ | | Finishes flashing a jingle, writing it to eeprom after making sure it looks somewhat valid. 0xba | GetChipID | ⛔️ | ✅ | | 0xbb | ReadUID | ⛔️ | ✅ | | Returns the result of ISP ReadUID. 0xbf | CalibrateJoystick | ⛔️ | ✅ | | Sets eeprom field 0x34 with some computed data 0xc1 | SetAudioMapping | ⛔️ | ✅ | | Sets the jingle to play for various events 0xc5 | SetUserLedColor | ⛔️ | ⛔️ | | 0xc6 | SendIRCode | ⛔️ | ⛔️ | | 0xc7 | StopIR | ⛔️ | ⛔️ | | # ControllerInfoRequest/ControllerInfoResponse When sent from Host to Controller, takes no data and asks the controller to send its ControllerInfo. When sent from Controller to Host: The additional data is an array of HardwareInfo, where HardwareInfo is a structure of one byte (Type) and 4 byte (Data). Here are the different types byte observed: Type ID | Name | Bootloader | Description ----------|--------|-----------|--------- 1 | USB PID | ✅ | The same as the USB PID. Likely more useful for wireless transmission. 2 | Unknown | ⛔️ | Firmware always returns 3 4 | Firmware Version | ✅ | Version/timestamp of the firmware running on the LPC side (e.g. 57bf5c10). 5 | NRF Firmware Version | ⛔️ | Version/timestamp of the firmware running on the NRF side 9 | Hardware Version | ✅ | Version of the controller hardware (as stored in EEPROM) 10 | Unknown | ⛔️ | Firmware returns the data stored at DAT_10000078 # SetSettings When sent from Host to Controller: Sets the controller settings. The additional data is an array of ControllerSetting, where ControllerSetting is a structure of one byte (type) and 2 bytes (value). Here are some observed type bytes: Type ID | Name | Description -------|----------|------------- 0x3 | ? | 0x8 | ? | Lizard mode related? Data is 7 when sent to dongle. 0x2d | ? | Sent periodically # SetDonglePairingMode Arguments: - Don't pair: 0x00 0x00 - Start pairing: 0x2 0x3c